Cyber Posture

CVE-2024-39148

High

Published: 01 December 2025
Modified: 23 December 2025
KEV Added: none recorded
Patch: KerOS 5.12 or later
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The service wmp-agent of KerOS prior to 5.12 does not properly validate so-called 'magic URLs', allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over the network. Typically, the service is protected by a local firewall.

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 Information Input Validation. Directly addresses the improper validation of magic URLs by requiring input validation mechanisms that prevent code injection.

prevent: SI-2 Flaw Remediation. Mandates timely flaw remediation by patching to KerOS 5.12 or later, eliminating the vulnerability at its source.

prevent: SC-7 Boundary Protection. Enforces boundary protection via firewalls to restrict network access to the wmp-agent service, preventing remote exploitation.

Security Summary

CVE-2024-39148 is a code injection vulnerability (CWE-94) in the wmp-agent service of KerOS versions prior to 5.12. The flaw arises from improper validation of so-called "magic URLs", enabling an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over the network. The service is typically protected by a local firewall. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): high attack complexity, but full impact on confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this vulnerability remotely by sending a specially crafted "magic URL" to an exposed wmp-agent service, bypassing validation and achieving arbitrary root-level command execution on the target system. Exploitation requires network access to the service, which the typical deployment blocks with a local firewall, and crafting the payload is rated as high complexity.
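The following is an added illustrative example, not code from Kerlink's wmp-agent or from either advisory cited on this page. It shows the CWE-94 failure the summary describes in miniature: a request handler that turns parameters of a "magic URL" into an OS command string, beside a hardened handler that allowlists the action, validates the argument, and never goes through a shell. The URL path (`/magic`), the parameter names (`action`, `target`), and the helper binaries under `/usr/local/bin/` are hypothetical; nothing here reflects how the real service parses its URLs.

```python
"""Added illustrative example, not Kerlink's wmp-agent code. Endpoint path, parameter
names and helper binaries are hypothetical; the real service's URL layout is unknown."""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical helper programs the agent is allowed to launch, keyed by action name.
ALLOWED_ACTIONS = {
    "status": ["/usr/local/bin/wmp-status"],
    "restart": ["/usr/local/bin/wmp-restart"],
}
# Hypothetical constraint on the single argument: an interface-like token, nothing else.
TARGET_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
MAGIC_PATH = "/magic"  # hypothetical endpoint name


def _params(url: str) -> dict:
    """Parse the URL once; both handlers share this step."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "path": parts.path,
        "action": query.get("action", [""])[0],
        "target": query.get("target", [""])[0],
    }


def vulnerable_command(url: str) -> str:
    """Unsafe pattern: interpolate attacker-controlled fields into one shell string.
    Returned instead of executed so the demo is harmless; in the unsafe design this
    string is handed to a root shell, where '$(...)', '|' and ';' are all honoured."""
    p = _params(url)
    return f"/usr/local/bin/wmp-{p['action']} {p['target']}"


def hardened_argv(url: str) -> list:
    """Safe pattern: map the action to a fixed argv prefix, allowlist the argument,
    and return an argv list meant for subprocess.run(argv) with shell=False.
    Raises ValueError on anything outside the allowlist."""
    p = _params(url)
    if p["path"] != MAGIC_PATH:
        raise ValueError("unexpected path")
    argv = ALLOWED_ACTIONS.get(p["action"])
    if argv is None:
        raise ValueError("unknown action")
    if not TARGET_RE.fullmatch(p["target"]):
        raise ValueError("target fails allowlist")
    return argv + [p["target"]]


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    benign = "http://gateway.example/magic?action=status&target=lora0"
    hostile = "http://gateway.example/magic?action=status&target=lora0%20%24(id)"
    print(vulnerable_command(hostile))  # command substitution survives into the string
    print(hardened_argv(benign))
    try:
        hardened_argv(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened handler never concatenates user input into a command; it selects a fixed argv from a dictionary and appends one validated token, so a shell is never involved and metacharacters have no meaning. Running the agent as an unprivileged user would further limit the impact even if validation were bypassed.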

Official mitigation guidance is available in the KerOS security advisory at https://keros.docs.kerlink.com/security/security_advisories_kerOS5 and the BDO Security advisory at https://www.bdosecurity.de/en-gb/advisories/cve-2024-39148. Affected systems should be upgraded to KerOS 5.12 or later, with continued reliance on local firewalls to restrict network access to the wmp-agent service.

Details

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')
Affected Products

kerlink
keros
5.0 up to, but not including, 5.12 (fixed in 5.12)
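Added example, not part of the original page or of Kerlink's tooling: a version check that decides whether a KerOS version string falls inside the affected range above (5.0 up to, not including, 5.12). Versions are compared as integer tuples; the naive string comparison that ranks "5.9" above "5.12" is kept alongside so the pitfall is visible. How the version string is read from a gateway is out of scope and assumed to be known to the operator; the inventory in the block is constructed sample data.

```python
"""Added example, not Kerlink's code. Bounds come from the Affected Products entry and
the advisory's fixed release; the sample inventory below is constructed."""

AFFECTED_MIN = (5, 0)   # lower bound listed under Affected Products
FIXED_IN = (5, 12)      # first fixed release per the advisory


def parse_version(text: str) -> tuple:
    """'5.11.2' -> (5, 11, 2). Rejects empty or non-numeric components."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True when AFFECTED_MIN <= version < FIXED_IN under numeric comparison.
    Tuple ordering makes (5, 12, 0) compare above (5, 12), so 5.12.x is fixed."""
    return AFFECTED_MIN <= parse_version(text) < FIXED_IN


def naive_string_check(text: str) -> bool:
    """The wrong way: lexicographic comparison puts '5.9' after '5.12', so a
    vulnerable 5.9 gateway is reported as patched. Kept only to show the mistake."""
    return "5.0" <= text.strip() < "5.12"


def triage(inventory: dict) -> dict:
    """Map gateway name -> 'patch' | 'ok' | 'unknown' from a {name: version} dict."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = "patch" if is_affected(version) else "ok"
        except ValueError:
            result[name] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {"gw-01": "5.9", "gw-02": "5.11.2", "gw-03": "5.12", "gw-04": "5.12.1", "gw-05": "n/a"}
    for name, verdict in triage(sample).items():
        print(f"{name}: {verdict}")
    print("naive check on 5.9:", naive_string_check("5.9"), "| numeric:", is_affected("5.9"))
```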

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CVE-2024-39148 enables unauthenticated remote code execution as root via a crafted 'magic URL' sent to the network-accessible wmp-agent service (T1190: Exploit Public-Facing Application), and the resulting arbitrary OS command execution on the Unix-based KerOS maps to T1059.004: Unix Shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References